BUG #19433: json_object_agg_unique Crashes When Used as Window Function

From: PG Bug reporting form <noreply(at)postgresql(dot)org>
To: pgsql-bugs(at)lists(dot)postgresql(dot)org
Cc: 303677365(at)qq(dot)com
Subject: BUG #19433: json_object_agg_unique Crashes When Used as Window Function
Date: 2026-03-13 03:14:26
Message-ID: 19433-74818a14ca269428@postgresql.org
Lists: pgsql-bugs

The following bug has been logged on the website:

Bug reference: 19433
Logged by: chunling qin
Email address: 303677365(at)qq(dot)com
PostgreSQL version: 15.0
Operating system: centos
Description:

## Summary

`json_object_agg_unique()` causes a segmentation fault when used as a window
function with an `ORDER BY` clause. The crash occurs due to a use-after-free
bug where the internal hash table pointer is accessed after being freed.

---

## Environment

| Item | Value |
|------|-------|
| PostgreSQL Version | 15devel (development build) |
| Commit | 7103ebb7aa |
| Platform | x86_64-pc-linux-gnu |
| Test Date | 2026-03-13 |

## Steps to Reproduce

### 1. Create Test Table

```sql
CREATE TABLE test_json_window (partkey int, key text, value text);

INSERT INTO test_json_window VALUES
(1, 'k1', 'v1'),
(1, 'k2', 'v2'),
(1, 'k3', 'v3'),
(2, 'k4', 'v4'),
(2, 'k5', 'v5');
```

### 2. Trigger Crash

```sql
-- This query causes segmentation fault
SELECT
    partkey,
    key,
    json_object_agg_unique(key, value)
        OVER (PARTITION BY partkey ORDER BY key) AS result
FROM test_json_window;
```

### 3. Expected vs Actual Behavior

| Scenario | Result |
|----------|--------|
| Without `ORDER BY` | Works correctly |
| With `ORDER BY` | Server crashes (SIGSEGV) |

---

## Error Output

```
2026-03-13 11:06:13.546 CST [345156] LOG: server process (PID 345761) was terminated by signal 11: Segmentation fault
2026-03-13 11:06:13.546 CST [345156] DETAIL: Failed process was running:
SELECT
partkey,
key,
json_object_agg_unique(key, value) OVER (PARTITION BY partkey ORDER BY
key) AS result
FROM test_json_window;
```

---

## Stack Trace

```
#0 0x0000560eacfc155d in hash_search (hashp=0x560eb4bc7530, keyPtr=0x7fff9e580f38, action=HASH_ENTER, foundPtr=0x7fff9e580f37) at dynahash.c:961
#1 0x0000560eacdd4ca8 in json_unique_check_key (cxt=0x560eb4bab428, key=0x560eb4bab4af "\"k2\"", object_id=0) at json.c:1010
#2 0x0000560eacdd3fd0 in json_object_agg_transfn_worker (fcinfo=0x7fff9e581088, absent_on_null=false, unique_keys=true) at json.c:1164
#3 0x0000560eacdd41ee in json_object_agg_unique_transfn (fcinfo=0x7fff9e581088) at json.c:1210
#4 0x0000560eac9aa4b8 in advance_windowaggregate (winstate=0x560eb4b9ab08, perfuncstate=0x560eb4bb0fa0, peraggstate=0x560eb4b9c630) at nodeWindowAgg.c:345
#5 0x0000560eac9a9163 in eval_windowaggregates (winstate=0x560eb4b9ab08) at nodeWindowAgg.c:964
#6 0x0000560eac9a125e in ExecWindowAgg (pstate=0x560eb4b9ab08) at nodeWindowAgg.c:2207
#7 0x0000560eac91dae6 in ExecProcNode (node=0x560eb4b9ab08) at ../../../src/include/executor/executor.h:259
...
```
